Fix for CVE-2008-0006 - PCF Font parser buffer overflow.

(cherry picked from commit f09b800)
XQuartz · Jan 17, 2008 · 73abb37 · 73abb37
1 parent 0dbe1a0
commit 73abb37
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
@@ -329,6 +329,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
 	err = BadFontName;
 	goto bail;
     }
+    /* check values for firstCol, lastCol, firstRow, and lastRow */
+    if (pfont->info.firstCol > pfont->info.lastCol ||
+       pfont->info.firstRow > pfont->info.lastRow ||
+       pfont->info.lastCol - pfont->info.firstCol > 255) {
+       err = AllocError;
+       goto bail;
+    }
     if (!pfont->fpe)
 	pfont->fpe = fpe;
     pfont->refcnt++;